VincenzoContiello-9686 asked AllenXu-MSFT answered

SharePoint 2016 workflow permission problem

I have an SP2016 site collection.
The farm is composed as follows:
Domain server = DomainSPxxx
Frontend server = FrontendSP
Database server = DatabaseSP

The site collection has two extensions:
1) default (http): Windows Auth access to the DomainSPxxx.com domain
2) internet with mixed access (https): Windows Auth access to the DomainSPxxx.com domain and Forms-Based access with an LDAP provider, also associated with the DomainSPxxx.com domain

When a domain account authenticates with Windows Auth, the username displayed is userx@DomainSPxxx.com; when it is connected with LDAP it will be like '0#.f|ldapmember:userx|userx@DomainSPxxx.com'.

On the default extension only the administrative accounts are used.
This extension is used exclusively for service/maintenance activities. For example, the document search crawl is performed on it.

Problem.
I have developed a workflow that performs operations on SP lists.
Given that:
The Workflow Manager is configured correctly
The user profile is configured correctly
The two services are active
The Workflow app for the site is active and correctly configured through the appinv.aspx page
StsApplication Pool "Load user profile" is true
"Workflow can use app permissions" feature is active

Problem explanation
In practice, when the workflow is launched from the https internet extension, for each operation performed (for example reading records) it is as if the system requires the presence of the domain user for the document library.

Example:
user '0#.f|ldapmember:userx|userx@DomainSPxxx.com' is a collaborator on list 'TestList'.
If the workflow performs a read operation on document library 'TestList' with user '0#.f|ldapmember:userx|userx@DomainSPxxx.com', this fails indicating resource access problems. I checked the SP log.
Below is an excerpt:
CAML query: <View Scope="RecursiveAll"><Query><Where><Eq><FieldRef Name="ID" /><Value Type="Counter">8</Value></Eq></Where>
</Query><ViewFields><FieldRef Name="ContentTypeId" /><FieldRef Name="Title" /><FieldRef Name="ID" />
<FieldRef Name="Created" /><FieldRef Name="Author" LookupId="TRUE" /><FieldRef Name="Modified" />
<FieldRef Name="Editor" LookupId="TRUE" />....

Exception occured in scope Microsoft.SharePoint.SPListItemEntityCollection.GetById. Exception = System.ArgumentException: Element does not exist.
It may have been deleted by another user.

Actually the element exists: I tried to launch the query from the URL with user '0#.f|ldapmember:userx|userx@DomainSPxxx.com' connected, and the data is returned.

It is as if the calls made from the workflow claim access only through domain accounts authenticated with Windows Auth.
In the case of the above example it is not enough to give the right permissions on the collection to the account '0#.f|ldapmember:userx|userx@DomainSPxxx.com';
to make the calls work you must give the same permissions to the account userx@DomainSPxxx.com.
Below is an extract from the log with some records that make me suspicious.

This is what I noticed:

Medium Name=Request (GET:https://testsite.domainspxxx.com/_api/web/lists(guid'4255a977-6694-4080-b065-0c685b28538b')/Items(8))
High Reached maximum number of failed machines based on ping results for this routing group
Unexpected User-Agent is empty
High Did not find token claim in token. ClaimType: 'scope'.
High Did not find token claim in token. ClaimType: 'scp'.
High Did not find token claim in token. ClaimType: 'clientappid'.
High Did not find token claim in token. ClaimType: 'appid'.
High Did not find token claim in token. ClaimType: 'roles'.
High Token is for a windows account.
Medium Couldn't find a user using property 'WorkEmail' of value 'userx@DomainSPxxx.it'
High GetUserProfile_RetrieveUser_Cache ExpectedFailure: Microsoft.Office.Server.UserProfiles.UserNotFoundException:
An error was encountered while retrieving the user profile. at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData
(UserProfileManager objManager, Nullable`1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail,
Boolean doNotResolveToMasterAccount) at Microsoft.Office.Server.UserProfiles.UserProfile.RetrieveUser(String strAcct, Guid gAcct, Byte[] bSid,
Nullable`1 recordId, Boolean doNotResolveToMasterAccount, Boolean loadFullProfile, Boolean loadColleagueRecordIds, String strEmail)
Medium Leaving Monitored Scope: (UserProfile.RetrieveUserFromCache) Execution Time=8.87822334961566; CPU Milliseconds=3; SQL Query Count=1;
Parent=Executing the user mapping operation in GetMappedIdentityClaim()
Medium Couldn't find a user using property 'SID' of value 'System.Byte[]'
Unexpected SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: InputIdentity doesn't conatin a PrimarySid claim.
Thanks

sharepoint-dev
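The log excerpt in the question can be triaged mechanically. The following script is an added illustration, not code from the original post or from Microsoft: it parses the quoted ULS lines (copied below as constructed sample input, one entry per line with the severity word first), records which app-token claims the STS reported missing, which user-profile properties the identity mapping tried and failed to resolve, and compares the e-mail used for the WorkEmail lookup against the e-mail carried in the forms claim as the question writes it. The claim layout `0#.f|<provider>:<user>|<email>` is taken from the question's own string, and the reading that `GetMappedIdentityClaim()` maps the caller by profile lookup is an interpretation of the log text, not a documented fact.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample input: the ULS lines quoted in the question. Lines that do
# not start with a severity word are wrapped continuations of the previous entry.
SAMPLE_LOG = """\
Medium Name=Request (GET:https://testsite.domainspxxx.com/_api/web/lists(guid'4255a977-6694-4080-b065-0c685b28538b')/Items(8))
High Reached maximum number of failed machines based on ping results for this routing group
Unexpected User-Agent is empty
High Did not find token claim in token. ClaimType: 'scope'.
High Did not find token claim in token. ClaimType: 'scp'.
High Did not find token claim in token. ClaimType: 'clientappid'.
High Did not find token claim in token. ClaimType: 'appid'.
High Did not find token claim in token. ClaimType: 'roles'.
High Token is for a windows account.
Medium Couldn't find a user using property 'WorkEmail' of value 'userx@DomainSPxxx.it'
High GetUserProfile_RetrieveUser_Cache ExpectedFailure: Microsoft.Office.Server.UserProfiles.UserNotFoundException:
An error was encountered while retrieving the user profile. at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData
Medium Leaving Monitored Scope: (UserProfile.RetrieveUserFromCache) Execution Time=8.87822334961566; CPU Milliseconds=3; SQL Query Count=1;
Parent=Executing the user mapping operation in GetMappedIdentityClaim()
Medium Couldn't find a user using property 'SID' of value 'System.Byte[]'
Unexpected SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: InputIdentity doesn't conatin a PrimarySid claim.
"""

# The forms user exactly as the question writes it: 0#.f|<provider>:<user>|<email>
QUESTION_CLAIM = "0#.f|ldapmember:userx|userx@DomainSPxxx.com"

LEVELS = {"Verbose", "Medium", "High", "Monitorable", "Unexpected", "Critical"}
MISSING_CLAIM = re.compile(r"Did not find token claim in token\. ClaimType: '([^']+)'")
FAILED_LOOKUP = re.compile(r"Couldn't find a user using property '([^']+)' of value '([^']+)'")
PRIMARY_SID = re.compile(r"InputIdentity doesn't \w+ a PrimarySid claim")  # tolerates the log's typo
FBA_CLAIM = re.compile(r"^(?:i:)?0#\.f\|([^:|]+):([^|]+)\|([^|]+)$")


@dataclass
class MappingDiagnosis:
    missing_claims: list[str] = field(default_factory=list)       # app-token claim types not found
    token_is_windows: bool = False                                 # STS classified token as Windows account
    failed_lookups: dict[str, str] = field(default_factory=dict)  # profile property -> value that found nobody
    primary_sid_missing: bool = False
    mapping_scope_seen: bool = False                               # lookups ran inside GetMappedIdentityClaim()


def parse_uls(text: str) -> list[tuple[str, str]]:
    """Split the excerpt into (level, message) pairs, joining wrapped lines."""
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        level, _, rest = line.partition(" ")
        if level in LEVELS:
            entries.append((level, rest))
        elif entries:  # continuation of the previous entry (wrapped stack trace)
            prev_level, prev_msg = entries[-1]
            entries[-1] = (prev_level, prev_msg + " " + line)
    return entries


def diagnose(entries: list[tuple[str, str]]) -> MappingDiagnosis:
    """Collect the identity-mapping facts the log states."""
    d = MappingDiagnosis()
    for _, msg in entries:
        if m := MISSING_CLAIM.search(msg):
            d.missing_claims.append(m.group(1))
        elif "Token is for a windows account" in msg:
            d.token_is_windows = True
        elif m := FAILED_LOOKUP.search(msg):
            d.failed_lookups[m.group(1)] = m.group(2)
        elif PRIMARY_SID.search(msg):
            d.primary_sid_missing = True
        if "GetMappedIdentityClaim" in msg:
            d.mapping_scope_seen = True
    return d


def parse_fba_claim(claim: str) -> dict[str, str]:
    """Split the question's claim string into provider, user and e-mail."""
    m = FBA_CLAIM.match(claim)
    if not m:
        raise ValueError(f"not a forms claim in the question's layout: {claim!r}")
    provider, user, email = m.groups()
    return {"provider": provider, "user": user, "email": email}


def lookup_mismatch(diag: MappingDiagnosis, claim: str) -> bool:
    """True when the WorkEmail used for the profile lookup differs from the claim's e-mail."""
    looked_up = diag.failed_lookups.get("WorkEmail")
    return looked_up is not None and looked_up.lower() != parse_fba_claim(claim)["email"].lower()


def findings(diag: MappingDiagnosis, claim: str) -> list[str]:
    """Triage points, each backed by a line in the excerpt."""
    ident = parse_fba_claim(claim)
    out = []
    if diag.missing_claims:
        out.append("app-token claims not found: " + ", ".join(diag.missing_claims))
    if diag.token_is_windows:
        out.append("STS classified the token as a Windows account, not forms user %s:%s"
                   % (ident["provider"], ident["user"]))
    if lookup_mismatch(diag, claim):
        out.append("WorkEmail lookup used %r but the claim carries %r"
                   % (diag.failed_lookups["WorkEmail"], ident["email"]))
    if "SID" in diag.failed_lookups or diag.primary_sid_missing:
        out.append("no SID/PrimarySid resolved for the forms user inside the mapping scope"
                   if diag.mapping_scope_seen else "no SID/PrimarySid resolved for the forms user")
    return out


if __name__ == "__main__":
    for point in findings(diagnose(parse_uls(SAMPLE_LOG)), QUESTION_CLAIM):
        print("-", point)
```

Run against the excerpt, the script surfaces the one detail that is easy to miss when reading the log by eye: the profile lookup was made with `userx@DomainSPxxx.it` while the forms claim carries `userx@DomainSPxxx.com`, and both the WorkEmail and SID lookups came back empty before the STS reported the missing PrimarySid. That is the kind of evidence worth attaching to a support ticket.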

@VincenzoContiello-9686 ,

I am trying to reproduce this issue on my end and I'll get back to you if there is any update. Much appreciated for your patience and time.


Hello, did you find something?


1 Answer

AllenXu-MSFT answered

Hi @VincenzoContiello-9686,

I couldn't reproduce this issue on my end, and I'm afraid it's hard to go on with further troubleshooting. I suggest you open a ticket with Microsoft; a more experienced expert will give you instant assistance. Thanks for your understanding.
